Amendments to the Claims: 

Please replace all prior versions, and listings, of claims in the application with the 
following: 

1 . (currently amended) In a distributed network having a number of server 

computers and associated client devices, a network virus defense system, comprising: 

a traffic controller coupled to the virus sensor and the network arranged to select 
certain data packets wherein the selected data packets or a copy of the selected data 
packets are forwarded to the virus sensor; 

a network virus/worm sensor operable in a number of modes arranged to detect a 
computer virus or a computer worm in the networ k, the virus sensor switching from a first 
mode to a second mode when the computer virus is detected, wherein in the first mode, 
such that the bandwidth of the network is minimallv affected substantiallv unaffected in a 
first mode in that original data packets are not removed from or added to network traffic, but 
are copied, and the copied data packets are used in detecting the computer virus, and 
wherein in the second mode, and wherein when the virus sensor detects the computer virus, 
the virus sensor switches to a second mode, wherein the original data packets are not copied 
and wherein a subset of data packets determined to be infected or suspected of being infected are 
not retumed to the network; 

a network virus sensor self registration module coupled to the network virus/worm sensor 
arranged to automatically self register the associated network virus/worm sensor; 

a controller storing a rules engine used to store and source a plurality of detection rules 
for detecting computer viruses and worms and using statistical results of observed abnormal 
events as recorded and monitored by a virus monitor, the abnormal events defined in policies and 
the plurality of detection rules in the virus monitor, and wherein the virus monitor generates an 
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abnormal behavior report which is evaluated by a server which determined an action to perform; 
and 

an anti- virus agent creation module arranged to create an anti- virus agent or create a 
detection module, an infection module and a payload. 

2. (currently amended) A system as recited in claim 1, wherein during aft 
the initialization phase of the network virus/worm sensor, the network virus/worm self 
registration module collects selected network environmental information and network 
configuration information. 

3. (previously presented) A system as recited in claim 2, wherein when the 
distributed network is an IP based type network, the selected network environmental information 
includes an IP address for all of the relevant client devices included in the IP-based type 
network. 

4. (original) A system as recited in claim 3, wherein the network configuration 
information includes self configuration information related to an appropriate IP address for the 
network virus/worm sensor. 

5. (original) A system as recited in claim 4, wherein the network configuration 
information includes locations of all relevant server computers. 

6. (original) A system as recited in claim 5, wherein selected ones of the 
relevant server computers are identified as controllers. 
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7. (original) A system as recited in claim 6, wherein each of the identified 
controllers includes a rules engine used to store and source a plurality of detection rules for 
detecting computer viruses and worms and an outbreak prevention policy (OPP) distribution and 
execution engine that provides a set of anti- virus policies, protocols, and procedures suitable for 
use by a system administrator for both preventing viral outbreaks and repairing any subsequent 
damage caused by a viral outbreak. 

8. (original) A system as recited in claim 7, wherein during the initialization 
phase, each of the rules engines associated with each of the identified controllers are updated 
with a set of detection rules for detecting computer viruses and worms. 

9. (original) A system as recited in claim 7, wherein during the initialization 
phase, each of the outbreak prevention policy distribution and execution engines associated with 
each of the identified controllers are updated with a set of anti- virus policies, a set of anti- virus 
protocols, and a set of anti- virus procedures. 

10. (canceled) 

1 1 . (currently amended) In a distributed network having a number of server 
computers and associated client devices and a network virus/monitor sensor operable in a 
number of modes, a method of self registering a network virus defense system comprising: 

forwarding original data packets or a copy of the original data packets to the virus 
sensor using a traffic controller module coupled to the virus sensor; 

detecting a computer virus or a computer worm in the networ k, the virus sensor 
switching from a first mode to a second mode when the computer virus is detected, wherein 
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in the first inode>. such that the bandwidth of the network is minimailv affected substantially 
unaffected in a first mode in that original data packets are not removed from or added to 
network traffic, but are copied, and the copied data packets are used in detecting the 
computer virus, and wherein in the second mode, and wherein when the virus sensor 
detects the computer virus, the virus sensor switches to a second mode, wherein the original 
data packets are not copied and wherein a subset of data packets determined to be infected or 
suspected of being infected are not retumed to the network; 

automatically self registering the network/virus worm sensor using a network virus 
sensor self registration module coupled to the sensor; 

storing a rules engine used to store and source a plurality of detection rules for detecting 
computer viruses and worms and using statistical results of observed abnormal events as 
recorded and monitored by a virus monitor, the abnormal events defined in policies and the 
plurality of detection rules in the virus monitor, and wherein the virus monitor generates an 
abnormal behavior report which is evaluated by a server which determines an action to perform; 

providing virus cleaning agents from known viruses and unknown viruses subsequently 
analyzed; and 

creating a detection module that detects whether a client device is infected with a virus 
and triggers the introduction of an anti- virus infection module so that the virus in the client 
device is overwritten and an anti-virus agent payload is created based on features of the selected 
computer virus and which performs as a cleaning/repairing payload capable of cleaning and 
repairing damage done to the client device. 

12. (previously presented) A method as recited in claim 11, further 

comprising: 



TRNDPOIO/SC 



5 



during an initialization phase of the network virus/worm sensor, collecting selected 
network environmental information and network configuration information by the network 
virus/worm self registration module. 

13. (previously presented) A method as recited in claim 12, wherein when the 
distributed network is an IP based type network, the selected network environmental information 
includes an IP address for all of the relevant client devices included in the IP-based type 
network. 

14. (original) A method as recited in claim 13, wherein the network 
configuration information includes self configuration information related to an appropriate IP 
address for the network virus/worm sensor. 

15. (original) A method as recited in claim 14, wherein the network 
configuration information includes locations of all relevant server computers. 

16. (original) A method as recited in claim 15, wherein selected ones of the 
relevant server computers are identified as controllers. 

17. (previously presented) A method as recited in claim 16, wherein each of 
the identified controllers includes a rules engine used to store and source a plurality of detection 
rules for detecting computer viruses and worms and an outbreak prevention policy (OPP) 
distribution and execution engine that provides a set of anti-virus policies, protocols, and 
procedures suitable for use by a system administrator for both preventing viral outbreaks and 
repairing any subsequent damage caused by a viral outbreak. 
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18. (original) A method as recited in claim 17, further comprising: 
during the initialization phase, 

updating each of the rules engines associated with each of the identified controllers with a 
set of detection rules for detecting computer viruses and worms. 

19. (original) A method as recited in claim 17, further comprising: 
during the initialization phase, 

updating each of the outbreak prevention policy distribution and execution engines 
associated with each of the identified controllers with a set of anti- virus policies, a set of anti- 
virus protocols, and a set of anti- virus procedures. 

20. (previously presented) A method as recited in claim 11, wherein in a first 
mode the bandwidth of the network is substantially unaffected by the network virus/monitor 
sensor, the network virus/monitor sensor not removing or adding network traffic but copying 
data packets, and wherein when the network virus/worm sensor detects a computer virus or a 
computer worm, the virus/worm sensor switches to a second mode such that only those data 
packets infected by the computer virus are not returned to the network. 

21 . (currently amended) In a distributed network having a number of server 
computers and associated client devices, computer program product for self registering a 
network virus defense system, that includes a network virus/worm sensor operable in a number 
of modes arranged to detect a computer virus or a computer worm in the network, comprising: 

computer code for forwarding original data packets or a copy of the original data 
packets to the virus sensor using a traffic controller module coupled to the virus sensor; 
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computer code for detecting a computer virus or a computer worm in the networ k, the 
virus sensor switching from a first mode to a second mode when the computer virus is 
detected, wherein in the first mode, such that the bandwidth of the network is minimallv 
affected substantially unaffected in a first mode in that original data packets are not removed 
from or added to network traffic, but are copied, and the copied data packets are used in 
detecting the computer virus, and wherein in the second mode, and wherein when the virus 
sensor detects the computer virus, the virus sensor switches to a second mode, wherein the 
original data packets are not copied and wherein a subset of data packets determined to be 
infected or suspected of being infected are not retumed to the network; 

computer code for automatically self registering the sensor by a network virus sensor 
self registration module coupled to the sensor; 

computer code for storing a rules engine used to store and source a plurality of detection 
rules from detecting computer viruses and worms and using statistical results of observed 
abnormal events as recorded and monitored by a virus monitor, the abnormal events defined in 
policies and the plurality of detection rules in the virus monitor, and wherein the virus monitor 
generates an abnormal behavior report which is evaluated by a server which determines an action 
to perform; 

computer code for p roviding virus cleaning agents from known viruses and unknown 
viruses subsequently analyzed; and 

computer code for creating a detection module that detects whether a client device is 
infected with a virus and triggers the introduction of an anti- virus infection module so that the 
virus in the client device is overwritten and an anti- virus agent payload created based on features 
of the selected computer virus and performs as a cleaning/repairing payload capable of cleaning 
and repairing damage done to the client device; and 

computer readable medium for storing the computer code. 
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22. (original) Computer program product as recited in claim 21, further 
comprising: 

computer code for collecting selected network environmental information and network 
configuration information by the network virus/worm self registration module during an 
initialization phase. 

23. (original) Computer program product as recited in claim 22, wherein when 
the network is an IP based type network, the selected network environmental information 
includes an IP address for all of the relevant client devices included in the network. 

24. (original) Computer program product as recited in claim 23, wherein the 
network configuration information includes self configuration information related to an 
appropriate IP address for the network virus/worm sensor. 

25. (original) Computer program product as recited in claim 24, wherein the 
network configuration information includes locations of all relevant server computers. 

26. (original) Computer program product as recited in claim 25, wherein selected 
ones of the relevant server computers are identified as controllers. 

27. (original) Computer program product as recited in claim 26, wherein each of 
the identified controllers includes a rules engine used to store and source a plurality of detection 
rules for detecting computer viruses and worms and an outbreak prevention policy (OPP) 
distribution and execution engine that provides a set of anti-virus policies, protocols, and 
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procedures suitable for use by a system administrator for both preventing viral outbreaks and 
repairing any subsequent damage caused by a viral outbreak. 

28. (original) Computer program product as recited in claim 27, further 
comprising: 

during the initialization phase, 

updating each of the rules engines associated with each of the identified controllers with a 
set of detection rules for detecting computer viruses and worms. 

29. (original) Computer program product as recited in claim 27, further 
comprising: 

computer code for updating each of the outbreak prevention policy distribution and 
execution engines associated with each of the identified controllers with a set of anti-virus 
policies, a set of anti- virus protocols, and a set of anti- virus procedures during the initialization 
phase. 

30. (previously presented) Computer program product as recited in claim 21, 
wherein in a first mode the bandwidth of the network is substantially unaffected by the network 
virus/monitor sensor, the network virus/monitor sensor not removing or adding network traffic 
but copying data packets, and wherein when the network virus/worm sensor detects a computer 
virus or a computer worm, the virus/worm sensor switches to a second mode such that only those 
data packets infected by the computer virus are not retumed to the network. 
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